grc 10 training

www.keylabstraining.com

GRC 10 ONLINE TRAINING

[email protected]: +1-908-366-7933India: +91-9550645679Skype : keylabstraining


ACCESS CONTROL 10.0: INTRODUCTION

Access Control 10.0: IntroductionSAP BusinessObjects Access Control is an enterprise software application

that enables organizations to control access and prevent fraud across the enterprise, while minimizing the time and cost of compliance.

The application streamlines compliance processes, including access risk analysis and remediation, business role management, access request management, superuser maintenance, and periodic compliance certifications. It delivers immediate visibility of the current risk situation with real-time data.

Access Control 10.0 is part of newly released SAP Governance Risk & Compliance (GRC) 10.0 which also comprised of Process control 10.0, Risk Management 10.0 and Global Trade Services.

The greatest value in GRC 10.0 is the Harmonization of Access Control, Process Control and Risk

management which ultimately results in shared processes, data and user interface with reduction in redundancy.


ACCESS CONTROL 10.0: LANDSCAPE


Front end:The front-end needs a web browser or (optionally) a client installation of the NetWeaver Business ClientThe web browser can be used to access the embedded NWBC or GRC via the NetWeaver PortalThe Adobe flash player 10 is used for displaying dashboards e.g. RM heat mapOverview of SAP BusinessObjects Access Control 10.0SAPGUI 7.10 PL 15 or higher is required for administration or customizing tasks –note that SAPGUI 7.20 is recommended due to the end-of-maintenance of SAPGUI 7.10The Crystal Reports Adapter (CRA) is required for viewing (GRC) Crystal Reports.


Portal:The NetWeaver Portal 7.02 can be used optionallyThe GRC Portal Content contains the GRC Portal UI elements to access the GRC suiteThe Portal’s AS Java can contain an Adobe Document Services instance, in effect Portal and ADS may be shared on one AS Java instanceERP and Non SAP Business Applications:The GRC solutions can communicate with SAP ERP and non-SAP business applications via plug-insNW Function Modules hold the AC functions for ERP systems without HR (former non-HR RTA)PC relevant features are contained in the plug-in GRCPIERP, for example, for running automated controls and the HR relevant functions for AC (former HR RTA)GTS functions are part of the SLL-PI plug-in, for example, for GTS integration into the Logistics, HR, FI/CO and/or HCM processes in SAP ERPNon-SAP ERP systems can also be connected via adapters from an SAP Partner company


BI Content:NetWeaver BW can be used for reporting via the GRC BI ContentThe GRC BI Content is part of BI Content 7.06NetWeaver BW 7.02 is used for the GRC BI Content.Identity Management:AC can be integrated bi-directionally to IdM solutions for provisioning and risk analysisNetWeaver IdM7.2 is required for integrating with AC 10.0

Adobe Document Services:An instance of Adobe Document Services (ADS) should be accessible from the GRC AS ABAP for generating offline forms .Although it is technically optional, it is highly recommended for generating PDF reportsThese ADS can be an existing instance and can also be shared with other applicationsThe Portal’s AS Java can contain an Adobe Document Services instance, so Portal and ADS may be shared on one AS Java instance.


NEW AND ENHANCED FEATURES:

1) Enhanced Visualization and Streamlined Navigation – This enhancement provides a common look and feel with configurable role-based user access for GRC functions from the SAP Portal or SAP

NetWeaver Business Client (NWBC). Streamlined user navigation with shared work centers emphasizes function rather than component. This significantly reduces duplication of menu items

(e.g., one inbox, not three) and makes possible sharing of data and functions. Menu items seen by the individual user within each work center is controlled by the user’s GRC role(s). This also enables

data shared across components to be viewed differently by different users


NEW AND ENHANCED FEATURES:

Improved Reporting – GRC reporting leverages the Business Suite ABAP List Viewer (ALV) –

Crystal integration framework to present and personalize ABAP (WebDynpro) reports and convert into Crystal reports. This lowers the TCO and extends the benefits of Crystal without the need for a separate BOE server. It also reduces the time spent by business users on reporting needs. Custom Crystal reports with embedded graphics can also be created easily with Crystal Designer.


SEPARATION OF DUTIES

Separation of duties (SoD) is the concept of having more than one person required to complete a task. In business the separation by sharing of more than one individual in one single task shall prevent from fraud and error. The concept is alternatively called segregation of duties

http://en.wikipedia.org/wiki/Fraud

http://en.wikipedia.org/wiki/Error


SOD RISK MANAGEMENT PROCESS OVERVIEW SAP has developed a three-phase approach

to risk management. By applying this method, it is possible to implement a process for segregation of duties (SoD) risk management.The process begins by defining the risks, and building and validating rules.


SOD RISK MANAGEMENT PROCESS OVERVIEW


Segregation of Duties and Critical Actions:In a Sarbanes Oxley Act regulated environment, business need to define their access controls based on segregation of duties (SoD). In some cases, it is challenging to define SoDs because in many cases, processes are shared among business areas. Below are examples of risks in non-segregated duties


Rule Building and Validation :After risk recognition, the second step in Phase One of the SoD Risk Management process is Rule Building and Validation.


Rule Building Process:Rules include risks, functions, and business processes. The main components of the rule building process are shown below. Access Control automatically generates the rules as permutations of the different actions and permissions derived from the combined functions.


Functions:Functions include specific actions commonly used for a job role or set of tasks, for example Maintain General Ledger Master Records or Post Journal Entry. Authorization to perform certain combinations of functions results in a risk.


Rule Structure:Actions and permissions combine to form functions. Functions in certain combinations result in a risk. Risks are associated with business processes and all the components come together to form rules. Rules are collected in a rule set.


PHASE TWO OVERVIEW

The purpose of this phase is to provide business process analysts and business process owners with alternatives for correcting or eliminating risk.Risk AnalysisDuring Risk Analysis, perform a security analysis to identify risks for:Simple rolesComposite rolesUsers

Review the roles to determine how certain personnel might be restricted from performing undesired activities by checking:ObjectsFieldsValues


PHASE 2 FIGURE


RISK REMEDIATION OVERVIEW

The purpose of the remediation phase is to determine alternatives for eliminating issues in roles. The recommended approach is to resolve issues in the following order:Single rolesThis is the simplest place to startPrevents SoD violations from being reintroducedComposite rolesUsersRisk RemediationUse a simulation to perform a "what if" analysis on the assignment or removal of user actionsUse the Management view or Risk Analysis reports for analysisSecurity Administrators should document the planBusiness Process Owners should be involved and approve the planSimulationSimulation allows you to preview the result of changes to roles and user actions to see if your changes create new risk situations before implementing them Decide whether to add or remove a value


MITIGATION CONTROLS


EXAMPLES OF MITIGATION CONTROLS

Examples of Mitigation ControlsReview of strategies and authorization limitsReview of user logsReview of exception reportsDetailed variance analysisEstablish insurance to cover impact of a security incidentTypes of Mitigation ControlsPreventative Controls: minimize the likelihood or impact of a risk before it actually occursDetective Controls: alert when a risk takes place and enable the responsible person to initiate corrective measuresBest Practices

Segregate creation and approval from assignmentUse mitigation as a last resort for exceptions left over from remediation efforts that have legitimate business reasons to not use SoD controls


CONTINUOUS COMPLIANCE


THE GRC ARCHITECTURE

GRC solutions share a common technology platform and can be installed on a single NetWeaver ABAP system.


GRC COMPONENTS

ComponentsGRC 10.0 runs on AS ABAP 7.02 SP6 or higher. The installation components are broken out as follows:Access Control, Process Control, and Risk Management are contained in one ABAP add-on GRCFND_AGlobal Trade Services resides in a separate add-on SLL-LEG

Nota Fiscal Eletronica has its own add-on SLL-NFEContent Lifecycle Management (CLM) contains functions for transporting GRC business data, for example, Access Control rules or Process Control controls. CLM has the same version requirements as the GRC 10.0 solution and is installed during the GRC installation. CLM can be disabled if not required.GRC customizing is transported using the standard ABAP transport system.


ACCESS CONTROL 10.0 ARCHITECTURE

NetWeaver ABAP is the underlying platform

Harmonized with the other GRC 10.0 applicationsLeverages existing NWABAP investments:Role comparison at Action or Permission levelComparison between roles within Access ControlHarmonization with Process Control and Risk Management allows users to leverage master data


ACCESS CONTROL ARCHITECTURE COMPONENTS

Access Control constitutes a set of core components:

Access Risk Analysis and Management

Compliance Certification Review

Role Management

Role Mining

Superuser Access Management

Access Control Repository


GRC COMMON COMPONENTS

Access Control uses a set of GRC common components as part of the harmonization of the GRC suite. These components are also available to Process Control and Risk Management:

GRC Master Data

Workflow

Reports and Dashboards


NETWEAVER COMPONENTS

Access Control uses ABAP Web Dynpro as the user interface or UI technology.

The GRC solution can be presented to end users by using either NWBC (NetWeaver Business Client) or through the use of SAP Portal.

Configuration for Access Control is executed using the SAP IMG via the SAP GUI, which is common across the GRC suite.

Access Control connects to SAP and non-SAP systems with adapter or IdM systems using the integration framework.

The ABAP database is the common repository for all Access Control data.


SECURITY AND AUTHORIZATIONS

You are planning a solution and must be able to explain object-level security, authorization requirements, and identify delivered roles and security objects.Object-Level Security

Object-Level Security gives you the ability to limit access for end users to what they need to see at a granular level. you can limit access by function, risk, user, or anyother authorization objects available within role maintenance.


AuthorizationsTo configure the IMG, you need:

PFCG role(s) relative to specific components to be configured

PFCG role(s) sufficient to configure SAP workflow and other non-GRC technologies

PFCG role(s) on GRC and non-GRC systems to set up Continuous Monitoring

To access GRC 10.0 solutions, you must have at least the following:

Portal authorization or NWBC authorization

Applicable PFCG base roles


PFCG role(s) relative to specific components (AC, PC, RM) to be used

Using Access Control with GRC Solutions

If you use Access Control with other GRC solutions, you can leverage this functionality to:

Manage PFCG roles used with GRC

Create GRC users

Assign GRC PFCG roles to users

Perform SoD analysis for PFCG role authorizations

Assignment of entity-level authorization (via application role assignment) and ticket-based authorization (via substitution or transfer) must be done in the respective component.


INSTALLATION Installation Prerequisites –ServerNetWeaver AS ABAP 7.02 SP6 or higher

Installation Prerequisites –Back-endFor ERP systems that will install Access Control Plug-In the following prerequisites must be met:For SAP ERP system 4.6C, the system must be at SAP_BASIS Support Pack 55 For SAP ERP 4.70 system, the system must be at SAP_BASIS Support Pack 63 For ERP 2004 system, the system must be at SAP BasisSupport Pack 18 For ERP 6.0 system, the system must be at SAP_BASIS Support Pack 13 For NetWeaver systems that will install Access Control Plug-In the following prerequisites must be met:For SAP Basis 4.6C, the system must be at SAP_BASIS Support Pack 55 For NW 6.20 system, the system must be at SAP_BASIS Support Pack 63 For NW 6.40 system, the system must be at SAP_BASIS Support Pack 18 For NW 7.00 system, the system must be at SAP_BASIS Support Pack 13 For NW 7.01, the system must be at SAP_BASIS Support Pack 02For NW 7.02, the system must be at SAP_BASIS Support Pack 01 For SAP Basis 710 system, the system must be at SAP_BASIS Support Pack 04


WHERE TO OBTAIN THE GRC 10.0 SOFTWARE

http://service.sap.com/swdc


CONTENT OF THE INSTALLATION ZIP


ACCESS CONTROL INSTALLATION NOTES

Installation NotesSAP Note 1490996: Install SAP GRC Access Control 10.0 on SAP NW 7.02 SAP Note 1500168: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 46C NW SAP Note 1497971: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 620 NW SAP Note 1501882: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 640 NW SAP Note 1500689: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 700 NW SAP Note 1503749:Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 710 NW SAP Note 1500169: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 46C ERP SAP Note 1497972: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 620 ERP SAP Note 1501880: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 640 ERP SAP Note 1500690: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 700 ERP


INSTALLATION OF MAIN COMPONENTS OFAC/PC/RM 10.0

General Steps:1.Main installation components:GRCFND_A2.Download the installation packages from Service Marketplace3.Install with the transaction SAINT4.Follow the detailed instructions from the SAP Note 14909965.Apply the most recent Support Packages

INSTALLATION OF PLUG-IN FOR AC/PC 10.0 ON ERP


General Steps:1.Main installation components:GRCPINWGRCPIERP2.Download the installation packages from SMP3.Install with the transaction SAINT4.Follow the detailed instructions from the SAP Notes 1500689 and 15006905.Apply the necessary Support Packages if there is any

Note: Plug-Ins vary depending on back end ERP system.

Attention:The AC 10.0 plug-ins will upgrade any existing RTA from previous AC releases. This means that any AC instance on running 5.X will stop working after the plug-ins are installed.


GRC 10.0 POST-INSTALLATION

1.Client Copy2.Activating Applications in Client3.Check SAP ICF Services4.Activating BC Sets5.Creating the Initial User in the ABAP System6.Activate Profile of Roles Delivered by SAP7.Activate Common Workflow


CLIENT COPY

T-code which starts from SCC*

1. Choose Administration --> System administration --> Administration >Client admin.>Client Copy-->Local Copy. 2. Select a copy profile. 3. Enter the source client. click the tick mark it will take some time .... you can refer the link below http://help.sap.com/printdocu/core/print46c/en/data/pdf/bcctscco/bcctscco.pdf

http://help.sap.com/printdocu/core/print46c/en/data/pdf/bcctscco/bcctscco.pdf

http://help.sap.com/printdocu/core/print46c/en/data/pdf/bcctscco/bcctscco.pdf


ACTIVATING APPLICATIONS IN CLIENT

Call the customizing with transaction SPROChoose SAP Reference IMGExpand the Governance, Risk and Compliance > General Settings node and choose Activate Applications in Client

Choose New Entries


ACTIVATING APPLICATIONS IN CLIENT

Click the first row and select the GRC solution(s) required for your projectThen choose the ActivecheckboxClick SaveNote: you may have to create a transport requestEXAMPLE IS OF GRC –PC,YOU MAY NEED AC IF YOU NEED ONLY ACCCESS CONTROL


CHECK SAP ICF SERVICES

Call transaction SICFClick the Execute icon



Expand the node default_host-> sap -> publicRight click publicand choose Activate ServiceChoose Activate Service for all sub-nodes



Proceed likewise with the node default_host-> sap -> bcActivate all sub-nodes too



Now activate the node default_host-> sap -> grcAlso activate all sub-nodes


ACTIVATING BC SETS

Call transaction SPRO againClick SAP Reference IMGClick Existing BC Sets in the next screen


ACTIVATING BC SETS Select a BC SetClick “BC Sets for Activity”


ACTIVATING BC SETS From the menu choose Goto >Activation TransactionThese BC sets can also be activated via transaction code SCPR20


ACTIVATING BC SETS Activate the corresponding BC sets.Proceed likewise for all required PC, RM, and/or AC BC setsFor a complete list of BC Sets please refer to the PC/RM/AC install guide!

NOTE:BELOW EXAMPLE IS FOR ACTIVATION ON TIME FRQUENCY FOR GRCPC:PROCESS CONTROL.


ACTIVATING BC SETS When activating always use “Expert” mode


CREATING THE INITIAL USER IN THE ABAP SYSTEM

Call transaction SU01, create a userAssign following role to access GRC applications, such as AC•SAP_GRC_FN_BASE

Assign following power user role to the person doing the customization of the product•SAP_GRC_FN_ALL

Assign following role to the business users•SAP_GRC_FN_BUSINESS_USER

Assign following role if you use NWBC as front end UI instead of Portal•SAP_GRC_NWBC


ACTIVATE PROFILE OF ROLES DELIVERED BY SAP

•Activate profile of roles delivered by SAP via transaction PFCG if you want to use them directly•For the list of the roles, please refer to Security Guide -here is an example of the SAP-GRC-NWBC role•Please use transaction “SUPC” for mass profile generation in case you want to generate profiles for multiple roles


ACTIVATE COMMON WORKFLOW

Call transaction SPROagainClick SAP Reference IMGAccess Workflow node under Governance, Risk and Compliance > General SettingsExecute Perform Automatic Workflow Customizing


ACTIVATE COMMON WORKFLOW PERFORM AUTOMATIC WORKFLOW CUSTOMIZING

Execute Perform Automatic Workflow CustomizingMake sure that all tasks are green after the generation as show in the screenshotNote: you may have to create a transport requestDuring the activation procedure you might receive an error message, then check the created system user „WF-BATCH“ in SU01 if the user has sufficient roles assigned –see SAP Note 1251255and the GRC Security Guide.You may need to run program RHSOBJCH to fix HR control tables


ACTIVATE COMMON WORKFLOW PERFORM AUTOMATIC WORKFLOW CUSTOMIZING

Maintain the Prefix Numbers to your needs or like shown in the screenshot


ACTIVATE COMMON WORKFLOWPERFORM TASK-SPECIFIC CUSTOMIZING

Execute PerformTask-Specific CustomizingExpand the GRCnode.Click the Assign Agents link at the right side of the GRCnode.

Note: if no folders are visible below the “GRC“ folder please run report “RS_APPL_REFRESH” in SE38



Assign Task as General Task via Task Attribute.Make sure all tasks that are not using Background task have been assigned as General Task.



Click Activate event linking



Click the Properties iconSet the Linkage Status to No errors Make sure Event linkage activated is checked.Set Error feedback to Do not change linkageBe sure to activate all WS.



Repeat the first four steps to activate the solutions you need (e.g. for Access Control “GRC-AC”)

Note: task-specific customizing for GRC-AC is notavailable in case you have the GRC plug-ins installed in your GRC system, check the Appendix for perfomingthe customizing in this case


POST-INSTALLATION TO FIRST EMERGENCY ACCESS

•RequirementsoAdding connector to SUPMG scenariooCreating users and assigning rolesoVerifying time zones•ConfigurationoMaintaining AC ownersoAssigning owners to firefighter IDsoAssigning firefighter IDs and controllers to firefightersoCreating reasons codes•Starting an emergency access session•Managing LogsoRunning log collectionoViewing the firefighter reports


MAINTAIN CONFIGURATION SETTINGS


ADDING CONNECTOR TO SUPMG SCENARIO

To create access requests it is required to have the SUPMG scenario linked to the connector, this is done via IMG:


CREATING USERS AND ASSIGNING ROLES

Please create users and roles as needed. Remember to synchronize again the repository (program GRAC_REPOSITORY_OBJECT_SYNC ). These roles are provided as examples and customer roles need to be created based on their authorizations.In the AC systemRole

Firefighter userSAP_GRAC_SUPER_USER_MGMT_USERFirefightercontrollerSAP_GRAC_SUPER_USER_MGMT_CNTLRFirefighterownerSAP_GRAC_SUPER_USER_MGMT_OWNERIn the target systemRole

Firefighter IDSAP_GRAC_SPM_FFIDIn the AC system the Firefighter ID role is configured in ParamID 4010 (Firefighter ID role name)Reminder: end users will require also the roles based on SAP_GRC_FN_BASEand SAP_GRC_FN_BUSINESS_USER


VERIFYING TIME ZONESFor logs to be properly captured the time zones in the connected ERP systems need to be configured to match the operating system and also the AC server time zone. This is done in IMG under SAP NetWeaverGeneral Settings Time Zones Maintain System Settings


CONFIGURATIONMaintaining AC ownersAssigning owners to firefighter IDsAssigning firefighter IDs and controllers to firefightersCreating reasons codes


MAINTAINING AC OWNERSGo to NWBC Access Management GRC Role Assignments Access Control Owners and maintain the controllers and owners as shown below:

After this is done it is possible to assign those to FireFighterIDs.


ASSIGNING OWNERS TO FIREFIGHTER IDS

In Access Management go to SuperuserAssignment and click on Owners. Here owners are assigned to firefighter IDs.


ASSIGNING FIREFIGHTER IDS AND CONTROLLERS TO FIREFIGHTERS

Now you need to assign firefighter IDs and controllers to users. This is done by going to SuperuserAssignment Firefighter IDs

Note: Multiple firefighter users and controllers can be assigned to a multiple firefighter ID.


CREATING REASONS CODESThe reason codes available for firefighter users are maintained under Superuser Maintenance Reason Codes

STARTING EMERGENCY ACCESS


Starting a firefighter session

Login to the AC system using the firefighter user and launch transaction GRAC_SPMYou will be able to connect to the target system using the firefighter IDs previously assigned


MANAGING LOGS

Running Log CollectionViewing the firefighter reports

Running log collectionForeground mode

The foreground job for log collection can be executed from the “Update Firefighter Log Button” which can be found in the following path:Reports And Analytics Super User Management Reports Consolidated Log Report


RUNNING LOG COLLECTIONBACKGROUND MODE

The Background Job for Log Collection can be scheduled periodically from SM36 using program GRAC_SPM_LOG_SYNC_UPDATE.


THANK [email protected]. KEYLABSTRAINING.COM

mailto:[email protected]

grc 10 training

Education